
Within the app, there is a Help menu and under that a Documentation menu item. If you select that, it should provide some guidance. Additionally, the Documentation from the app page on the Splunk App portal (http://apps.splunk.com/app/1629/) will provide the same detail.

The short answer is that you need to generate a client certificate from the Sourcefire Defense Center. This can be done from the System > Local > Registration menu. Once there, select the appropriate events from the left, then hit Save. Next, use the Create Client button to generate a client certificate. Download that certificate and place it on the Splunk server where the app resides, and put the path to that certificate in the box you're asking about.

Thanks a lot Colin for the quick answer. I was able to follow it and get the certificate downloaded from Defense Center and pointed to from Splunk. But when I run traffic through the virtual device, I don't see anything showing up in the Splunk eStreamer app, i.e. I don't see the flow events. I guess the problem is in the config of Defense Center: I only see the following log types: Discovery Events, Correlation and White List Events, Impact Flag Alerts, Intrusion Events, Intrusion Event Packet Data, User Activity, Intrusion Event Extra Data, Malware Events, File Events. Any idea?

You can download a nice KB article from within your Sourcefire account that explains exactly how to do this almost step by step. The name of it is "eStreamer Integration Guide". You'll find that you need to install several Perl modules on your Splunk server before eStreamer will work.
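An added troubleshooting check for the two prerequisites the answers above describe (the client certificate file placed on the Splunk server, and the Perl modules the integration guide calls for); this is example code, not from this thread or the eStreamer app. The page does not name the modules, so they are passed as arguments, and the remark about a PKCS#12 bundle is an assumption about the Defense Center download format.

```shell
#!/bin/sh
# Added example for this thread, not code from the Splunk Answers post or the
# eStreamer app. Catches common reasons the app stays silent after the client
# certificate is copied over: wrong path, a file the Splunk service account
# cannot read, a world-readable key file, or a missing Perl module.

# check_cert_file PATH
# Returns 0 when PATH is a readable regular file with no group/other permission
# bits set; prints the failing check to stderr otherwise.
check_cert_file() {
    path=$1
    if [ ! -f "$path" ]; then
        echo "FAIL: $path is not a regular file" >&2
        return 1
    fi
    if [ ! -r "$path" ]; then
        echo "FAIL: $path is not readable by $(id -un)" >&2
        return 1
    fi
    # Characters 5-10 of 'ls -ld' output are the group and other permission bits.
    others=$(ls -ld "$path" | cut -c5-10)
    case $others in
        *[rwx]*)
            echo "FAIL: $path is accessible to group/other ($others); chmod 600 it" >&2
            return 1 ;;
    esac
    if grep -q -- '-----BEGIN' "$path"; then
        echo "OK: $path is a PEM file"
    else
        # Binary content is expected for a PKCS#12 bundle (an assumption about the
        # Defense Center download format); anything else deserves a closer look.
        echo "OK: $path is binary (e.g. a PKCS#12 bundle)"
    fi
}

# check_perl_modules MODULE...
# Returns 0 only when every named module loads under the server's perl.
check_perl_modules() {
    rc=0
    for m in "$@"; do
        if perl -M"$m" -e 1 2>/dev/null; then
            echo "OK: Perl module $m present"
        else
            echo "FAIL: Perl module $m missing" >&2
            rc=1
        fi
    done
    return $rc
}
```

Run it as the Splunk service account so the readability check reflects what the app itself will see.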

Thanks @tosilesi for the pointer. I am having my sales guy get an account for me. At this point, I have installed all the Perl modules needed on the Linux host running Splunk, and the eStreamer client seems to run fine. I guess I will need to look at the guide for eStreamer configuration. Thanks.
